Adding Omnibus image

Author: Wogan May

.github/workflows/build-omnibus.yml

@@ -0,0 +1,95 @@
+name: Build Omnibus
+
+on:
+  push:
+    branches: [ "main" ]
+    tags: [ 'v*.*' ]
+  pull_request:
+    branches: [ "main" ]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set build variables
+        id: build_vars
+        run: |
+          echo "IMAGE_NAME=${IMAGE_NAME,,}" >> $GITHUB_ENV
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+        with:
+          cosign-release: 'v2.2.4'
+
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: omnibus
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-omnibus:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-omnibus:${{ github.ref_name }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

README.md

@@ -22,6 +22,10 @@ This repo generates a Docker image that includes:
   * `artisan schedule:run` every minute via Supervisor
   * `openssh-client` for the `ssh` and `scp` commandline utilities
 
+* In the Omnibus image:
+  * The App + Worker images combined
+  * Includes apache, php-fpm and supervisor for Horizon
+
 These images publish to a public repository.
 
 ## Sample: Dockerfile for App container
@@ -42,7 +46,7 @@ CMD ["apache2-foreground"]
 
 This build assumes that the Dockerfile is relative to your project root, so that index.php copies into /var/www/html/ on the container.
 
-## Sample: Dockerfile for Worker container
+## Sample: Dockerfile for Worker/Omnibus container
 
 ```Dockerfile
 FROM ghcr.io/woganmay/laravel-runtime-worker:latest
@@ -53,4 +57,4 @@ WORKDIR /var/www/html
 COPY --chown=runtime . /var/www/html
 ```
 
-This build assumes that the Dockerfile is relative to your project root, so that index.php copies into /var/www/html/ on the container.
+This build assumes that the Dockerfile is relative to your project root, so that index.php copies into /var/www/html/ on the container.

omnibus/000-default.conf

@@ -0,0 +1,32 @@
+<VirtualHost *:80>
+        ServerAdmin webmaster@localhost
+        ServerName app
+        DocumentRoot /var/www/html/public
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+        <Directory "/var/www/html/public">
+                <IfModule mod_rewrite.c>
+                    <IfModule mod_negotiation.c>
+                        Options -MultiViews -Indexes
+                    </IfModule>
+
+                    RewriteEngine On
+
+                    # Handle Authorization Header
+                    RewriteCond %{HTTP:Authorization} .
+                    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+                    # Redirect Trailing Slashes If Not A Folder...
+                    RewriteCond %{REQUEST_FILENAME} !-d
+                    RewriteCond %{REQUEST_URI} (.+)/$
+                    RewriteRule ^ %1 [L,R=301]
+
+                    # Send Requests To Front Controller...
+                    RewriteCond %{REQUEST_FILENAME} !-d
+                    RewriteCond %{REQUEST_FILENAME} !-f
+                    RewriteRule ^ index.php [L]
+                </IfModule>
+        </Directory>
+
+</VirtualHost>

omnibus/Dockerfile

@@ -0,0 +1,44 @@
+FROM php:8.3-apache
+# TODO: FROM php:8.3-cli
+
+WORKDIR /var/www/html
+
+RUN mkdir -p /usr/local/lib/php/extensions/no-debug-non-zts-20230831/modules
+
+# Install the PostgreSQL PDO extension
+# Docs: https://github.com/mlocati/docker-php-extension-installer
+RUN apt-get update && \
+    apt-get install wget && \
+    echo 'deb [signed-by=/usr/share/keyrings/postgresql.gpg] https://apt.postgresql.org/pub/repos/apt trixie-pgdg main' > /etc/apt/sources.list.d/pgdg.list && \
+    wget --quiet -O /usr/share/keyrings/postgresql.gpg https://www.postgresql.org/media/keys/ACCC4CF8.asc && \
+    apt-get update && \
+    apt-get install -y libpq-dev libzip-dev libjpeg-dev libpng-dev libwebp-dev libfreetype-dev libcurl4-openssl-dev libxml2-dev libonig-dev libssh2-1-dev supervisor openssh-client postgresql-client-17 default-mysql-client && \
+    pecl install redis-6.0.2 ssh2-1.4.1 && \
+    docker-php-ext-configure gd --with-jpeg --with-webp --with-freetype && \
+    docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql && \
+    docker-php-ext-install pgsql pdo pdo_pgsql zip pcntl bcmath curl dom mbstring pdo_mysql mysqli && \
+    docker-php-ext-install gd && \
+    docker-php-ext-enable redis bcmath curl dom mbstring ssh2 && \
+    rm -rf /var/lib/apt/lists/*
+
+# Install the latest Composer
+RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && \
+    php -r "if (hash_file('sha384', 'composer-setup.php') === 'ed0feb545ba87161262f2d45a633e34f591ebb3381f2e0063c345ebea4d228dd0043083717770234ec00c5a9f9593792') { echo 'Installer verified'.PHP_EOL; } else { echo 'Installer corrupt'.PHP_EOL; unlink('composer-setup.php'); exit(1); }" && \
+    php composer-setup.php --install-dir=/usr/bin/ --filename=composer && \
+    php -r "unlink('composer-setup.php');"
+
+# Copy our prod-ready configs in
+COPY ./security.conf /etc/apache2/conf-available/security.conf
+COPY ./php.ini /usr/local/etc/php/php.ini
+COPY ./000-default.conf /etc/apache2/sites-available/000-default.conf
+RUN a2enmod rewrite
+
+# Create a non-root runtime user with group 33 (apache's www-data group)
+RUN groupadd --force -g 33 runtime
+RUN useradd -ms /bin/bash --no-user-group -g 33 -u 1337 runtime
+
+# Add a config to run php artisan horizon against the mounted source code and keep that alive
+COPY ./supervisord.conf /etc/supervisor/supervisord.conf
+
+# Run supervisor on start
+CMD ["/usr/bin/supervisord"]

omnibus/php.ini

@@ -0,0 +1,124 @@
+[PHP]
+engine = On
+short_open_tag = Off
+precision = 14
+output_buffering = 4096
+zlib.output_compression = Off
+implicit_flush = Off
+unserialize_callback_func =
+serialize_precision = -1
+disable_functions =
+disable_classes =
+zend.enable_gc = On
+zend.exception_ignore_args = On
+zend.exception_string_param_max_len = 0
+expose_php = Off
+max_execution_time = 30
+max_input_time = 60
+memory_limit = 128M
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_errors = Off
+display_startup_errors = Off
+log_errors = On
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+report_memleaks = Off
+variables_order = "GPCS"
+request_order = "GP"
+register_argc_argv = Off
+auto_globals_jit = On
+post_max_size = 8M
+auto_prepend_file =
+auto_append_file =
+default_mimetype = "text/html"
+default_charset = "UTF-8"
+doc_root =
+user_dir =
+enable_dl = Off
+file_uploads = On
+upload_max_filesize = 2M
+max_file_uploads = 20
+allow_url_fopen = On
+allow_url_include = Off
+default_socket_timeout = 60
+
+[CLI Server]
+cli_server.color = On
+
+[Date]
+date.timezone = UTC
+
+[Pdo_mysql]
+pdo_mysql.default_socket=
+
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.max_persistent = -1
+odbc.max_links = -1
+odbc.defaultlrl = 4096
+odbc.defaultbinmode = 1
+
+[MySQLi]
+mysqli.max_persistent = -1
+mysqli.allow_persistent = On
+mysqli.max_links = -1
+mysqli.default_port = 3306
+mysqli.default_socket =
+mysqli.default_host =
+mysqli.default_user =
+mysqli.default_pw =
+
+[mysqlnd]
+mysqlnd.collect_statistics = On
+mysqlnd.collect_memory_statistics = Off
+
+[PostgreSQL]
+pgsql.allow_persistent = On
+pgsql.auto_reset_persistent = Off
+pgsql.max_persistent = -1
+pgsql.max_links = -1
+pgsql.ignore_notice = 0
+pgsql.log_notice = 0
+
+[bcmath]
+bcmath.scale = 0
+
+[Session]
+session.save_handler = files
+session.use_strict_mode = 0
+session.use_cookies = 1
+session.use_only_cookies = 1
+session.name = PHPSESSID
+session.auto_start = 0
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.cookie_domain =
+session.cookie_httponly =
+session.cookie_samesite =
+session.serialize_handler = php
+session.gc_probability = 1
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.referer_check =
+session.cache_limiter = nocache
+session.cache_expire = 180
+session.use_trans_sid = 0
+session.sid_length = 26
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+session.sid_bits_per_character = 5
+
+[Assertion]
+zend.assertions = -1
+
+[Tidy]
+tidy.clean_output = Off
+
+[soap]
+soap.wsdl_cache_enabled=1
+soap.wsdl_cache_dir="/tmp"
+soap.wsdl_cache_ttl=86400
+soap.wsdl_cache_limit = 5
+
+[ldap]
+ldap.max_links = -1

omnibus/security.conf

@@ -0,0 +1,3 @@
+ServerTokens Prod
+ServerSignature Off
+TraceEnable Off

omnibus/supervisord.conf

@@ -0,0 +1,20 @@
+[supervisord]
+nodaemon=true
+
+[program:worker]
+process_name=worker
+command=php /var/www/html/artisan horizon
+autostart=true
+autorestart=true
+user=runtime
+stdout_logfile=/var/www/html/storage/worker.log
+stderr_logfile=/var/www/html/storage/worker.err
+
+[program:scheduler]
+process_name=worker
+command=/bin/bash -c "while true; do php /var/www/html/artisan schedule:run --verbose --no-interaction; sleep 60; done"
+autostart=true
+autorestart=unexpected
+user=runtime
+stdout_logfile=/var/www/html/storage/scheduler.log
+stderr_logfile=/var/www/html/storage/scheduler.err